nifi registry security - able to log in with certs but not getting login page

Contributor

nifi registry security - able to log in with certs but not getting login page when canceling certs

 

Updated login-identity-provider.xml as below; not sure what is missing:


<identityProviders>
    <provider>
        <identifier>ldap-provider</identifier>
        <class>org.apache.nifi.registry.security.ldap.LdapIdentityProvider</class>
        <property name="Authentication Strategy">SIMPLE</property>
        <property name="Manager DN">xxxxxxxx</property>
        <property name="Manager Password">xxxxxxxx</property>
        <property name="TLS - Keystore"></property>
        <property name="TLS - Keystore Password"></property>
        <property name="TLS - Keystore Type"></property>
        <property name="TLS - Truststore"></property>
        <property name="TLS - Truststore Password"></property>
        <property name="TLS - Truststore Type"></property>
        <property name="TLS - Client Auth"></property>
        <property name="TLS - Protocol"></property>
        <property name="TLS - Shutdown Gracefully"></property>
        <property name="Referral Strategy">FOLLOW</property>
        <property name="Connect Timeout">10 secs</property>
        <property name="Read Timeout">10 secs</property>
        <property name="Url">ldap://abc:389</property>
        <property name="User Search Base">OU=managed,DC=ams,DC=xx,DC=com</property>
        <property name="User Search Filter">sAMAccountName={0}</property>
        <property name="Identity Strategy">USE_USERNAME</property>
        <property name="Authentication Expiration">12 hours</property>
        <property name="Sync Interval">30 secs</property>
    </provider>
</identityProviders>

 

Please let me know what is missing here.


Super Mentor

@venkatesh_kanch 

Simply configuring the ldap-provider in the identity-providers.xml file will not result in NiFi-Registry using it.
Make sure you have set the following property in the nifi-registry.properties file:

nifi.registry.security.identity.provider=ldap-provider


This tells NiFi to use the "ldap-provider" configured in that file.

Also make sure the file is named "identity-providers.xml" and not "login-identity-providers.xml". NiFi-Registry uses the former, while NiFi uses the latter identity providers filename.

One other thing to consider... If NiFi-Registry is configured to support Spnego:

nifi.registry.kerberos.spnego.authentication.expiration=12 hours
nifi.registry.kerberos.spnego.keytab.location=
nifi.registry.kerberos.spnego.principal=

Spnego auth will be attempted before any configured identity provider. So all it takes is to have Spnego enabled in your browser and NiFi-Registry set up to support Spnego auth, and you will not see the login page either. If you do not have Spnego enabled in your browser, then this is not your issue, because even if configured, if the browser does not return Spnego creds, NiFi-Registry will move on to the next configured authentication provider.

 

Hope this helps,

Matt

Contributor

@Matt 

Yes, updated the nifi-reg.properties file:

nifi.registry.security.identity.provider=ldap-provider

but still no luck.

 

# security properties #

nifi.registry.security.keystore=./conf/keystore.jks
nifi.registry.security.keystoreType=jks
nifi.registry.security.keystorePasswd=xxxxxxxx
nifi.registry.security.keyPasswd=xxxxxx
nifi.registry.security.truststore=./conf/truststore.jks
nifi.registry.security.truststoreType=jks
nifi.registry.security.truststorePasswd=xxxxxxxxxxx
nifi.registry.security.user.authorizer=managed-authorizer
#nifi.registry.security.user.login.identity.provider=ldap-identity-provider


nifi.registry.security.needClientAuth=

nifi.registry.security.authorizers.configuration.file=./conf/authorizers.xml
nifi.registry.security.authorizer=managed-authorizer
nifi.registry.security.identity.providers.configuration.file=./conf/identity-providers.xml
nifi.registry.security.identity.provider=ldap-provider

 

Contributor

Do I need to configure authorization.xml to get the login page alone?

Please advise. Thanks!

Super Mentor

@venkatesh_kanch 

 

Make sure you have configured "nifi.registry.security.needClientAuth=false".
When not set it defaults to true.

NeedClientAuth=true tells NiFi that in the TLS handshake it will "require" the client to present a client-side certificate. If one is not presented, the connection will just close and NiFi-Registry will never try any other authentication method.

This property must be set to false in order for NiFi-Registry to support any authentication method other than TLS.

Hope this gets you going,

Matt
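As an added example (not from the thread or the NiFi project), a small Python pre-flight check that reads a nifi-registry.properties file and the identity-providers.xml it points to, and reports the conditions Matt describes: needClientAuth left blank or unset (which behaves like the default of true), the identity provider property missing, the providers file carrying NiFi's login-identity-providers.xml name, and a provider identifier that is absent from the XML. The property and file names are the ones quoted in the thread; the sample inputs are constructed.

```python
import xml.etree.ElementTree as ET

def parse_properties(text):
    """Parse Java-style key=value lines; comments and blank lines are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def provider_identifiers(xml_text):
    """Return the <identifier> of every <provider> in identity-providers.xml."""
    root = ET.fromstring(xml_text)
    return {p.findtext("identifier", "").strip() for p in root.findall("provider")}

def check_login_page_config(props, xml_text):
    """Return findings that explain why no login page would be shown; [] means OK."""
    findings = []
    # A blank or missing value behaves like the default, which is true.
    if props.get("nifi.registry.security.needClientAuth", "").lower() != "false":
        findings.append("needClientAuth is not 'false': the TLS handshake requires a "
                        "client certificate, so the LDAP login page is never offered")
    provider = props.get("nifi.registry.security.identity.provider", "")
    if not provider:
        findings.append("nifi.registry.security.identity.provider is not set")
    path = props.get("nifi.registry.security.identity.providers.configuration.file", "")
    if path.endswith("login-identity-providers.xml"):
        findings.append("providers file is named login-identity-providers.xml (NiFi's "
                        "name); NiFi-Registry reads identity-providers.xml")
    if provider and provider not in provider_identifiers(xml_text):
        findings.append(f"identifier '{provider}' not found in the providers file")
    return findings

# Constructed sample mirroring the thread: needClientAuth left blank.
SAMPLE_PROPS = """\
nifi.registry.security.needClientAuth=
nifi.registry.security.identity.providers.configuration.file=./conf/identity-providers.xml
nifi.registry.security.identity.provider=ldap-provider
"""
SAMPLE_XML = """<identityProviders><provider><identifier>ldap-provider</identifier>
<class>org.apache.nifi.registry.security.ldap.LdapIdentityProvider</class>
</provider></identityProviders>"""

if __name__ == "__main__":
    for finding in check_login_page_config(parse_properties(SAMPLE_PROPS), SAMPLE_XML):
        print("FINDING:", finding)
```

Run against the real files by reading them into the two strings; an empty list means the three settings line up and a browser without a client certificate should reach the LDAP login page.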

Contributor

@MattWho 

This really helps; now I am getting the login page after setting the value to false:

nifi.registry.security.needClientAuth=false

 

Really Appreciate it.

 

Can you help configure file-based user authorizations as well in authorizers.xml?

 

I hope the part below should be enough:

 

<userGroupProvider>
    <identifier>file-user-group-provider</identifier>
    <class>org.apache.nifi.registry.security.authorization.file.FileUserGroupProvider</class>
    <property name="Users File">./conf/users.xml</property>
    <property name="Initial User Identity 1">CN=sys_admin, OU=RegPoc</property>
</userGroupProvider>

<accessPolicyProvider>
    <identifier>file-access-policy-provider</identifier>
    <class>org.apache.nifi.registry.security.authorization.file.FileAccessPolicyProvider</class>
    <property name="User Group Provider">file-user-group-provider</property>
    <property name="Authorizations File">./conf/authorizations.xml</property>
    <property name="Initial Admin Identity">CN=sys_admin, OU=RegPoc</property>

    <!--<property name="NiFi Identity 1"></property>-->
</accessPolicyProvider>

 

What should be the node identity here?

Super Mentor

@venkatesh_kanch 

Since you are asking a new question unrelated to the question asked in the original subject, I kindly ask that you start a new question.  Would be happy to help.  Asking multiple questions in one thread makes a thread harder to follow for other users of this community forum.

If you feel this question subject has been answered, please accept a solution provided to close out this thread.

Thank you,

Matt